# CVE-2024-48245
SQL Injection Vulnerability in Vehicle Management System 1.0 - 1.3
# Description
Vehicle Management System 1.0 is vulnerable to SQL Injection. Low-privileged (guest) users as well as administrative accounts can exploit vulnerable POST parameters on several endpoints to execute arbitrary SQL statements against the application database. This can lead to unauthorized database access, data disclosure, or privilege escalation.
# Affected Parameters:
Booking ID
Action Name
Payment Confirmation ID
# Affected Endpoints:
/vehicle-management/newvehicle.php
/vehicle-management/newdriver.php
# Vulnerability Details
Type: SQL Injection
Vendor: Vehicle Management System
Affected Version: 1.0
# Attack Vectors
Guest User: Exploitable via the Booking Action Name parameter submitted during vehicle booking.
Admin User: Additional affected components are reachable through the admin interface.
# Impact:
Exploiting this vulnerability allows attackers to:
Bypass authentication or access sensitive information.
Manipulate or delete database records.
Escalate privileges and execute unauthorized administrative actions.
# Mitigation:
Validate and sanitize all user input, especially POST parameters.
Use parameterized queries or prepared statements to prevent SQL Injection.
Restrict access to sensitive endpoints and enforce strong authentication measures.
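The following is an added example and is not code from the Vehicle Management System project or from this advisory. It assumes a hypothetical booking handler that reads a `booking_id` and an `action` POST parameter and talks to MySQL through PDO; the `bookings` table, its columns and the action names are invented for illustration. The first function shows the string-concatenation pattern that makes POST parameters like the ones listed above injectable; the second and third show the fix recommended in the mitigation: a fixed SQL text with the value bound as a parameter, plus an allow-list for tokens (such as an action name) that cannot be bound.

```php
<?php
// Added example: not the project's code. Table, column and action names are assumed.

// Connection setup (assumed). Native prepares keep the value out of the SQL text entirely;
// with emulated prepares the driver only escapes and splices it client-side.
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// VULNERABLE: the POST value becomes part of the SQL text, so a quote in the
// value changes the structure of the query instead of being treated as data.
function findBookingVulnerable(PDO $db, array $post): ?array
{
    $id  = $post['booking_id'] ?? '';
    $sql = "SELECT id, vehicle_id, status FROM bookings WHERE id = '$id'";
    $row = $db->query($sql)->fetch();
    return $row === false ? null : $row;
}

// HARDENED: the SQL text is constant; the value travels separately as a bound
// parameter and is validated as a positive integer before it is used.
function findBookingSafe(PDO $db, array $post): ?array
{
    $id = filter_var($post['booking_id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || $id < 1) {
        return null; // reject anything that is not a positive integer
    }
    $stmt = $db->prepare('SELECT id, vehicle_id, status FROM bookings WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Action names map to status values here; the user-supplied token is never placed
// in the query at all, only the allow-listed value it maps to is bound.
const ALLOWED_ACTIONS = ['book' => 'Booked', 'cancel' => 'Cancelled'];

function updateBookingActionSafe(PDO $db, array $post): bool
{
    $id     = filter_var($post['booking_id'] ?? null, FILTER_VALIDATE_INT);
    $action = $post['action'] ?? '';
    if ($id === false || $id < 1 || !array_key_exists($action, ALLOWED_ACTIONS)) {
        return false; // unknown action or malformed id: do nothing
    }
    $stmt = $db->prepare('UPDATE bookings SET status = :status WHERE id = :id');
    $stmt->bindValue(':status', ALLOWED_ACTIONS[$action], PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}
```

Two points worth checking when applying this pattern to an existing PHP code base: binding only works for values (strings, numbers), not for table names, column names or keywords, so anything of that kind that comes from the request has to be mapped through an allow-list as `updateBookingActionSafe` does; and `PDO::ATTR_EMULATE_PREPARES` should be turned off so that parameter binding happens in the MySQL server rather than by client-side escaping.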